Pack CLI Issue w.r.t vulnerabilities.

[kunaljoshi111]

We are using Pack CLI for our builder images. However the final application image has a bunch of go binaries under the /cnb folder. These are time and again flagged by our infosec for go related vulnerabilities.
We want to be in a situation where the app built using pack that does NOT have unwanted go libraries? We want to have lean clean images that only contain what is needed to run the app. Example a NodeJS app should run on an image that only has the base OS and NodeJS. Other stuff such as python, go, perl etc are not required and should not be in that image. How can we achieve the same?

[AidanDelaney]

I need a little more information about your system. Under /cnb I would expect to find the buildpacks that are enabled in your builder, a lifecycle binary and, possibly an extensions binary. What version of lifecyle are you using and what set of buildpacks are you using i.e. are you using Heroku's buildpacks. paketo's buildpacks or your own set of buildpacks? I'm looking for the information encoded in your builder.toml.

[kunaljoshi111]

Hi,
Thanks for responding.

We have built our own buildpacks using the pack CLI.
Pack version is v0.30.0-pre2. We have tried with 0.29 also but same result.
Lifecycle version we are using is 0.9.1 .

I am also attaching a screenshot of the vulnerability scan of our stack and builder image for reference. the builder is generated using pack builder create command.
Our end state should be that if a builder is to be used to run a JDK image, it should only have base OS and JDK. No need to have other unwanted stuff such as go, python, perl etc.

Thanks,
Kunal Joshi